On 07Feb2014 00:55, Matthew Miller mattdm@fedoraproject.org wrote:
On Thu, Feb 06, 2014 at 05:38:35PM -0500, Robert P. J. Day wrote:
"For SSH to be truly effective, using insecure connection protocols should be prohibited. Otherwise, a user's password may be protected using SSH for one session, only to be captured later while logging in using Telnet. Some services to disable include telnet, rsh, rlogin, and vsftpd."
never having used sftp before, i'm confused ... isn't sftp simply a secure ftp client? and if so, why would one want to disable vsftpd? i would still need an ftp server, would i not? can someone clarify what that passage is saying? thanks.
sftp is actually a completely different protocol -- it does file transfer over an ssh channel established on the ssh port. This encrypts any passwords in transit, or can be used with ssh keys so passwords are not ever used.
By contrast, despite having the substring sftp in its name, vsftpd is a standard FTP server and by default transmits any passwords in plain text. Although to add some complication, vsftpd supports SSL, which is a relatively recent extension to the FTP protocol and may not work with all traditional ftp clients.
And, to add confusion, FTP-over-SSL is often referred to as "FTPS". Versus sftp being an ftp-like command line protocol run over ssh.
I've had to deal with people who confused the two.
Cheers,
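
As an added example (not part of the original thread): a small Python audit of a vsftpd.conf that reports whether local-account passwords can travel over plain FTP, the risk the quoted guide is warning about. The option names are vsftpd's own; the defaults table assumes upstream vsftpd defaults, and the sample configurations are constructed.

```python
# Added example: can this vsftpd.conf expose local passwords in clear text?
# Assumption: upstream vsftpd defaults apply; a distribution's build may differ.
DEFAULTS = {
    "local_enable": "NO",            # local accounts may log in
    "ssl_enable": "NO",              # FTP over SSL/TLS ("FTPS") support
    "force_local_logins_ssl": "YES", # only meaningful when ssl_enable=YES
    "force_local_data_ssl": "YES",   # only meaningful when ssl_enable=YES
}
TRUE_VALUES = {"YES", "TRUE", "1"}


def parse_conf(text):
    """Parse option=value lines; '#' starts a comment line, no spaces around '='."""
    opts = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key] = value
    return opts


def enabled(opts, key):
    return opts[key].strip().upper() in TRUE_VALUES


def audit(text):
    """Return a list of findings; an empty list means no cleartext login path."""
    opts = parse_conf(text)
    if not enabled(opts, "local_enable"):
        return []  # no local accounts log in, so no account passwords on the wire
    if not enabled(opts, "ssl_enable"):
        return ["plain FTP: local passwords are sent in clear text"]
    findings = []
    if not enabled(opts, "force_local_logins_ssl"):
        findings.append("FTPS is optional: a client may still log in without TLS")
    if not enabled(opts, "force_local_data_ssl"):
        findings.append("data connections may be unencrypted")
    return findings


# Constructed sample configurations
PLAIN = "# typical plain FTP server\nlocal_enable=YES\nwrite_enable=YES\n"
FTPS_STRICT = "local_enable=YES\nssl_enable=YES\n"
FTPS_OPTIONAL = "local_enable=YES\nssl_enable=YES\nforce_local_logins_ssl=NO\n"

if __name__ == "__main__":
    for name, conf in [("plain", PLAIN), ("ftps-strict", FTPS_STRICT), ("ftps-optional", FTPS_OPTIONAL)]:
        print(name, audit(conf) or "no cleartext login path")
```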